Computer Certificate Renewal - Failing

  • Question

  • Greetings,

    System setup:  Server 2008 R2 with "Network Policy and Access Services" role configured to hand out wireless machine certificates to Windows 7 workstations.

    This has been set up for a year and has been working well. We have a group policy which allows for auto-enrollment, and all our workstations which are in the correct OU receive a certificate when they connect to the network.

    The machine certs are good for a year.

    We are now approaching the end of the first year since we implemented this system and we are starting to see some of our workstations failing to connect to the wireless network.  When we look at the certificates on the workstation we see 2 certificates now (as opposed to the one that was there previously).  One of these is expired and one is current with an expiration date a year from now.  When we manually delete the expired certificate, we are able to connect to the wireless.

    Apparently when the certificate is renewed, a new certificate is dropped down, but the old certificate is not removed.  When the machine tries to connect the old cert is found and the connection fails.

    What I think should be happening is that the certs should be renewed not replaced, but I can't see anyway to enforce this.

    I know that when I manually renew the certificate on the workstation I have 4 choices:

    Request Certificate with new key.

    Request NEW Certificate with the same key

    Renew certificate with new key

    Renew this certificate with the same key

    What appears to be happening is that the workstations are doing a request, not a renew.

    I have been through my Radius config and the GPO and can't find anything that should affect this.  I know that the GPO is being applied to the machines, and I'm about 99% sure that the GPO is correct.

    Any ideas where I should be looking?

    Thanks,

    John Morgan

    Friday, December 13, 2013 10:06 PM

Answers

  • Hi,

    Check your configuration, confirm that the following option is checked.

    Renew expired certificates, update pending certificates, and remove revoked certificates

    Configure Certificate Autoenrollment

    http://technet.microsoft.com/en-us/library/cc731522.aspx

    You can also manually revoke the expired certificate in CA.

    Hope this helps.

    • Marked as answer by Daniel JiSun Thursday, December 19, 2013 1:28 AM
    Monday, December 16, 2013 3:19 PM

All replies

  • Thanks for the response Ushadi, but I think it's a little premature to have it be marked as the answer.

    I have those options enabled.

    I am having a hard time inserting a picture here, so you will have to take my word for it. :-)

    We are seeing the symptoms described here:

    http://support.microsoft.com/kb/2494172/en-us

    What we are trying to figure out is why the old certificate is being left on the machine.  Our understanding is it should be deleted, or archived, when the updated cert is downloaded.

    Thursday, December 19, 2013 5:06 PM
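The symptom discussed in this thread (an expired machine certificate left in the computer store next to its renewed successor, breaking 802.1X authentication until it is deleted by hand) can be checked for across a fleet before users hit it. The script below is an added example and is not code from the thread or from Microsoft; it assumes the certificates live in the Local Computer Personal store (`Cert:\LocalMachine\My`), that a renewed certificate shares the Subject and certificate template with the stale one, and PowerShell 2.0 or later. It only reports by default; the hypothetical `-Remove` switch deletes the expired duplicates through the .NET X509Store API.

```powershell
# Added diagnostic example (not from the original thread).
# Assumption: machine certs are in the Local Computer Personal store and a
# renewed cert carries the same Subject and template as the expired one.
param([switch]$Remove)

$now = Get-Date

# The template is recorded in the "Certificate Template Information"
# (1.3.6.1.4.1.311.21.7) or legacy "Certificate Template Name"
# (1.3.6.1.4.1.311.20.2) extension; fall back to a marker if neither exists.
function Get-TemplateName($cert) {
    $ext = $cert.Extensions | Where-Object {
        $_.Oid.Value -eq '1.3.6.1.4.1.311.21.7' -or $_.Oid.Value -eq '1.3.6.1.4.1.311.20.2'
    } | Select-Object -First 1
    if ($ext) { return $ext.Format($false) }
    return '<no template>'
}

$certs  = Get-ChildItem -Path Cert:\LocalMachine\My
$groups = $certs | Group-Object -Property { "$($_.Subject)|$(Get-TemplateName $_)" }

$stale = @()
foreach ($g in $groups) {
    $valid   = @($g.Group | Where-Object { $_.NotBefore -le $now -and $_.NotAfter -gt $now })
    $expired = @($g.Group | Where-Object { $_.NotAfter -le $now })

    # Only an expired cert that sits beside a currently valid one from the same
    # template is the "left behind after renewal" case; a lone expired cert
    # means auto-enrollment never renewed it at all and needs a different fix.
    if ($valid.Count -gt 0 -and $expired.Count -gt 0) {
        foreach ($c in $expired) {
            $stale += New-Object PSObject -Property @{
                Subject        = $c.Subject
                Template       = Get-TemplateName $c
                Expired        = $c.NotAfter
                Thumbprint     = $c.Thumbprint
                ReplacedBy     = ($valid | Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint
            }
        }
    }
}

if ($stale.Count -eq 0) {
    Write-Output "No expired duplicates found in Cert:\LocalMachine\My."
} else {
    $stale | Format-Table Subject, Template, Expired, Thumbprint, ReplacedBy -AutoSize
    if ($Remove) {
        # X509Store works on PowerShell 2.0; Remove-Item on Cert: needs 3.0+.
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
        $store.Open('ReadWrite')
        foreach ($s in $stale) {
            $victim = $store.Certificates | Where-Object { $_.Thumbprint -eq $s.Thumbprint }
            if ($victim) {
                $store.Remove($victim)
                Write-Output ("Removed expired certificate {0}" -f $s.Thumbprint)
            }
        }
        $store.Close()
    }
}
```

Run it elevated on a workstation (or through a startup script) to list the stale certificates; add `-Remove` only after confirming the reported replacement is the one the wireless profile should be using. Because the script refuses to touch an expired certificate that has no valid sibling, it will not mask the separate problem of a machine whose renewal never happened.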